Difference between revisions of "Implemented Standards"

From Libreswan
Jump to navigation Jump to search
m (title)
(put standard colum on lhs)
Line 7: Line 7:
 
== IKEv1 ==
 
== IKEv1 ==
 
{| class="wikitable"
 
{| class="wikitable"
! style="text-align:left;" | Status
 
 
! style="text-align:left;" | Standard
 
! style="text-align:left;" | Standard
 
! style="text-align:left;" | Description
 
! style="text-align:left;" | Description
 +
! style="text-align:left;" | Status
 
! style="text-align:left;" | Comments
 
! style="text-align:left;" | Comments
 
|-
 
|-
| v
 
 
| [http://tools.ietf.org/html/rfc2407 RFC 2407]
 
| [http://tools.ietf.org/html/rfc2407 RFC 2407]
 
| IPsec Domain of Interpretation for ISAKMP (IPsec DoI)
 
| IPsec Domain of Interpretation for ISAKMP (IPsec DoI)
|  
+
| v
 +
|
 
|-
 
|-
| v
 
 
| [http://tools.ietf.org/html/rfc2408 RFC 2408]
 
| [http://tools.ietf.org/html/rfc2408 RFC 2408]
 
| Internet Security Association and Key Management Protocol (ISAKMP)
 
| Internet Security Association and Key Management Protocol (ISAKMP)
 +
| v
 
|
 
|
 
|-
 
|-
| v
 
 
| [http://tools.ietf.org/html/rfc2409 RFC 2409]
 
| [http://tools.ietf.org/html/rfc2409 RFC 2409]
 
| Internet Key Exchange (IKE)
 
| Internet Key Exchange (IKE)
 +
| v
 
| Revised Mode not implemented
 
| Revised Mode not implemented
 
|-
 
|-
| v
 
 
| [https://tools.ietf.org/html/rfc3526 RFC 3526]
 
| [https://tools.ietf.org/html/rfc3526 RFC 3526]
 
| More Modular Exponential (MODP) Diffie-Hellman groups
 
| More Modular Exponential (MODP) Diffie-Hellman groups
 +
| v
 
|
 
|
 
|-
 
|-
| v
 
 
| [https://tools.ietf.org/html/rfc3706 RFC 3706]
 
| [https://tools.ietf.org/html/rfc3706 RFC 3706]
 
| A Traffic-Based Method of Detecting Dead Internet Key Exchange (IKE) Peers
 
| A Traffic-Based Method of Detecting Dead Internet Key Exchange (IKE) Peers
 +
| v
 
| known as "DPD"
 
| known as "DPD"
 
|-
 
|-
| v
 
 
| [https://tools.ietf.org/html/3947 RFC 3947]
 
| [https://tools.ietf.org/html/3947 RFC 3947]
 
| Negotiation of NAT-Traversal in the IKE
 
| Negotiation of NAT-Traversal in the IKE
 +
| v
 
| known as "NATT" or "ESPinUDP"
 
| known as "NATT" or "ESPinUDP"
 
|-
 
|-
| v
 
 
| [http://tools.ietf.org/html/draft-dukes-ike-mode-cfg draft-dukes-ike-mode-cfg]
 
| [http://tools.ietf.org/html/draft-dukes-ike-mode-cfg draft-dukes-ike-mode-cfg]
 
| The ISAKMP Configuration Method
 
| The ISAKMP Configuration Method
 +
| v
 
|
 
|
 
|-
 
|-
| v
 
 
| [http://tools.ietf.org/html/draft-ietf-ipsec-isakmp-xauth draft-ietf-ipsec-isakmp-xauth]
 
| [http://tools.ietf.org/html/draft-ietf-ipsec-isakmp-xauth draft-ietf-ipsec-isakmp-xauth]
 
| Extended Authentication within ISAKMP/Oakley (XAUTH)
 
| Extended Authentication within ISAKMP/Oakley (XAUTH)
 +
| v
 
|
 
|
 
|-
 
|-
| v
 
 
| [http://tools.ietf.org/html/draft-jenkins-ipsec-rekeying-06 draft-jenkins-ipsec-rekeying]
 
| [http://tools.ietf.org/html/draft-jenkins-ipsec-rekeying-06 draft-jenkins-ipsec-rekeying]
 
| IPsec Re-keying Issues
 
| IPsec Re-keying Issues
 +
| v
 
| Implementation differs on some point but accomplishes the same
 
| Implementation differs on some point but accomplishes the same
 
|-
 
|-
| X
 
 
| [http://tools.ietf.org/html/draft-ietf-ipsec-isakmp-hybrid-auth  draft-ietf-ipsec-isakmp-hybrid-auth]
 
| [http://tools.ietf.org/html/draft-ietf-ipsec-isakmp-hybrid-auth  draft-ietf-ipsec-isakmp-hybrid-auth]
 
| A Hybrid Authentication Mode for IKE
 
| A Hybrid Authentication Mode for IKE
 +
| X
 
|
 
|
 
|-
 
|-
Line 67: Line 67:
  
 
{| class="wikitable"
 
{| class="wikitable"
! style="text-align:left;" | Status
 
 
! style="text-align:left;" | Standard
 
! style="text-align:left;" | Standard
 
! style="text-align:left;" | Description
 
! style="text-align:left;" | Description
 +
! style="text-align:left;" | Status
 
! style="text-align:left;" | Comments
 
! style="text-align:left;" | Comments
 
|-
 
|-
| v
 
 
| [http://tools.ietf.org/html/rfc4307 RFC 4307]
 
| [http://tools.ietf.org/html/rfc4307 RFC 4307]
 
| Cryptographic Algorithms for Use in the Internet Key Exchange Version 2 (IKEv2)
 
| Cryptographic Algorithms for Use in the Internet Key Exchange Version 2 (IKEv2)
 +
| v
 
| Obsoleted by [http://tools.ietf.org/html/rfc8247 RFC 8247]
 
| Obsoleted by [http://tools.ietf.org/html/rfc8247 RFC 8247]
 
|-
 
|-
| v
 
 
| [http://tools.ietf.org/html/rfc7296 RFC 7296]
 
| [http://tools.ietf.org/html/rfc7296 RFC 7296]
 
| Internet Key Exchange Protocol Version 2 (IKEv2)
 
| Internet Key Exchange Protocol Version 2 (IKEv2)
 +
| v
 
| Obsoletes [http://tools.ietf.org/html/rfc5996 RFC 5996] and [http://tools.ietf.org/html/rfc4718 RFC 4718]
 
| Obsoletes [http://tools.ietf.org/html/rfc5996 RFC 5996] and [http://tools.ietf.org/html/rfc4718 RFC 4718]
 
|-
 
|-
| X
 
 
| [http://tools.ietf.org/html/rfc7815 RFC 7815]
 
| [http://tools.ietf.org/html/rfc7815 RFC 7815]
 
| Minimal Internet Key Exchange Version 2 (IKEv2) Initiator Implementation
 
| Minimal Internet Key Exchange Version 2 (IKEv2) Initiator Implementation
 +
| X
 
| This is a really just a subset of IKEv2 [http://tools.ietf.org/html/rfc7296 RFC 7296]
 
| This is a really just a subset of IKEv2 [http://tools.ietf.org/html/rfc7296 RFC 7296]
 
|-
 
|-
| p
 
 
| [https://tools.ietf.org/html/rfc4478 RFC 4478]
 
| [https://tools.ietf.org/html/rfc4478 RFC 4478]
 
| Repeated Authentication in Internet Key Exchange (IKEv2) Protocol
 
| Repeated Authentication in Internet Key Exchange (IKEv2) Protocol
 +
| p
 
|
 
|
 
|-
 
|-
| v
 
 
| [https://tools.ietf.org/html/rfc4555 RFC 4555]
 
| [https://tools.ietf.org/html/rfc4555 RFC 4555]
 
| IKEv2 Mobility and Multihoming Protocol (MOBIKE)
 
| IKEv2 Mobility and Multihoming Protocol (MOBIKE)
 +
| v
 
| "Additional Addresses" not supported
 
| "Additional Addresses" not supported
 
|-
 
|-
| -
 
 
| [https://tools.ietf.org/html/rfc4595 RFC 4595]
 
| [https://tools.ietf.org/html/rfc4595 RFC 4595]
 
| Use of IKEv2 in the Fibre Channel Security Association Management Protocol
 
| Use of IKEv2 in the Fibre Channel Security Association Management Protocol
 +
| -
 
|
 
|
 
|-
 
|-
| p
 
 
| [https://tools.ietf.org/html/rfc4615 RFC 4615]
 
| [https://tools.ietf.org/html/rfc4615 RFC 4615]
 
| The AES-Cipher-based Message Authentication Code-Pseudo-Random Function-128 (AES-CMAC-PRF-128) Algorithm for IKE
 
| The AES-Cipher-based Message Authentication Code-Pseudo-Random Function-128 (AES-CMAC-PRF-128) Algorithm for IKE
 +
| p
 
| CMAC is supoorted as INTEG (for ESP/IKE) but not as PRF(for IKE) - this is pending support in the NSS library.
 
| CMAC is supoorted as INTEG (for ESP/IKE) but not as PRF(for IKE) - this is pending support in the NSS library.
 
|-
 
|-
| N/A
 
 
| [https://tools.ietf.org/html/rfc4621 RFC 4621]
 
| [https://tools.ietf.org/html/rfc4621 RFC 4621]
 
| Design of the IKEv2 Mobility and Multihoming (MOBIKE) Protocol
 
| Design of the IKEv2 Mobility and Multihoming (MOBIKE) Protocol
 +
| N/A
 
|
 
|
 
|-
 
|-
| p
 
 
| [https://tools.ietf.org/html/rfc4739 RFC 4739]
 
| [https://tools.ietf.org/html/rfc4739 RFC 4739]
 
| Multiple Authentication Exchanges in the IKEv2 Protocol
 
| Multiple Authentication Exchanges in the IKEv2 Protocol
 +
| p
 
|
 
|
 
|-
 
|-
| v
 
 
| [https://tools.ietf.org/html/rfc4754 RFC 4754]
 
| [https://tools.ietf.org/html/rfc4754 RFC 4754]
 
| IKE and IKEv2 Authentication Using the Elliptic Curve Digital Signature Algorithm (ECDSA)
 
| IKE and IKEv2 Authentication Using the Elliptic Curve Digital Signature Algorithm (ECDSA)
| Added in 3.26
+
| v3.26
 +
|
 
|-
 
|-
| -
 
 
| [https://tools.ietf.org/html/rfc4806 RFC 4806]
 
| [https://tools.ietf.org/html/rfc4806 RFC 4806]
 
| Online Certificate Status Protocol (OCSP) Extensions to IKEv2
 
| Online Certificate Status Protocol (OCSP) Extensions to IKEv2
 +
| -
 
| Regular OCSP fetching outside of IKE is supported.
 
| Regular OCSP fetching outside of IKE is supported.
 
|-
 
|-
| -
 
 
| [https://tools.ietf.org/html/rfc5026 RFC 5026]
 
| [https://tools.ietf.org/html/rfc5026 RFC 5026]
 
| Mobile IPv6 Bootstrapping in Split Scenario
 
| Mobile IPv6 Bootstrapping in Split Scenario
 +
| -
 
|
 
|
 
|-
 
|-
| v
 
 
| [https://tools.ietf.org/html/rfc5282 RFC 5282]
 
| [https://tools.ietf.org/html/rfc5282 RFC 5282]
 
| Using Authenticated Encryption Algorithms with the Encrypted Payload of the IKEv2 Protocol
 
| Using Authenticated Encryption Algorithms with the Encrypted Payload of the IKEv2 Protocol
 +
| v
 
| Only AES_GCM is implemented. AES_CCM requires support in the nss library
 
| Only AES_GCM is implemented. AES_CCM requires support in the nss library
 
|-
 
|-
| v
 
 
| [https://tools.ietf.org/html/rfc5685 RFC 5685]
 
| [https://tools.ietf.org/html/rfc5685 RFC 5685]
 
| Redirect Mechanism for IKEv2
 
| Redirect Mechanism for IKEv2
| Added in 3.28
+
| v3.28
 +
|
 
|-
 
|-
| -
 
 
| [https://tools.ietf.org/html/rfc5857 RFC 5857]
 
| [https://tools.ietf.org/html/rfc5857 RFC 5857]
 
| IKEv2 Extensions to Support Robust Header Compression over IPsec
 
| IKEv2 Extensions to Support Robust Header Compression over IPsec
 +
| -
 
|
 
|
 
|-
 
|-
| p
 
 
| [https://tools.ietf.org/html/rfc5723 RFC 5723]
 
| [https://tools.ietf.org/html/rfc5723 RFC 5723]
 
| Internet Key Exchange Protocol Version 2 (IKEv2) Session Resumption
 
| Internet Key Exchange Protocol Version 2 (IKEv2) Session Resumption
 +
| p
 
|
 
|
 
|-
 
|-
| -
 
 
| [https://tools.ietf.org/html/rfc5739 RFC 5739]
 
| [https://tools.ietf.org/html/rfc5739 RFC 5739]
 
| IPv6 Configuration in Internet Key Exchange Protocol Version 2 (IKEv2)
 
| IPv6 Configuration in Internet Key Exchange Protocol Version 2 (IKEv2)
 +
| -
 
|
 
|
 
|-
 
|-
| v
 
 
| [https://tools.ietf.org/html/rfc5903 RFC 5903]
 
| [https://tools.ietf.org/html/rfc5903 RFC 5903]
 
| ECP Groups for IKE and IKEv2
 
| ECP Groups for IKE and IKEv2
 +
| v
 
|
 
|
 
|-
 
|-
| v
 
 
| [https://tools.ietf.org/html/rfc5930 RFC 5930]
 
| [https://tools.ietf.org/html/rfc5930 RFC 5930]
 
| Using Advanced Encryption Standard Counter Mode (AES-CTR) with the Internet Key Exchange version 02 (IKEv2) Protocol
 
| Using Advanced Encryption Standard Counter Mode (AES-CTR) with the Internet Key Exchange version 02 (IKEv2) Protocol
 +
| v
 
|
 
|
 
|-
 
|-
| -
 
 
| [https://tools.ietf.org/html/rfc5998 RFC 5998]
 
| [https://tools.ietf.org/html/rfc5998 RFC 5998]
 
| An Extension for EAP-only Authentication in IKEv2
 
| An Extension for EAP-only Authentication in IKEv2
 +
| -
 
|
 
|
 
|-
 
|-
| -
 
 
| [https://tools.ietf.org/html/rfc6023 RFC 6023]
 
| [https://tools.ietf.org/html/rfc6023 RFC 6023]
 
| A Childless Initiation of the Internet Key Exchange Version 2 (IKEv2) Security Association (SA)
 
| A Childless Initiation of the Internet Key Exchange Version 2 (IKEv2) Security Association (SA)
 +
| -
 
|
 
|
 
|-
 
|-
| N/A
 
 
| [https://tools.ietf.org/html/rfc6027 RFC 6027]
 
| [https://tools.ietf.org/html/rfc6027 RFC 6027]
 
| IPsec Cluster Problem Statement
 
| IPsec Cluster Problem Statement
 +
| N/A
 
|
 
|
 
|-
 
|-
| -
 
 
| [https://tools.ietf.org/html/rfc6290 RFC 6290]
 
| [https://tools.ietf.org/html/rfc6290 RFC 6290]
 
| A Quick Crash Detection Method for the Internet Key Exchange Protocol (IKE)
 
| A Quick Crash Detection Method for the Internet Key Exchange Protocol (IKE)
 +
| -
 
|
 
|
 
|-
 
|-
| -
 
 
| [https://tools.ietf.org/html/rfc6311 RFC 6311]
 
| [https://tools.ietf.org/html/rfc6311 RFC 6311]
 
| Protocol Support for High Availability of IKEv2/IPsec
 
| Protocol Support for High Availability of IKEv2/IPsec
 +
| -
 
|
 
|
 
|-
 
|-
| -
 
 
| [https://tools.ietf.org/html/rfc6467 RFC 6467]
 
| [https://tools.ietf.org/html/rfc6467 RFC 6467]
 
| Secure Password Framework for IKEv2
 
| Secure Password Framework for IKEv2
 +
| -
 
|
 
|
 
|-
 
|-
| -
 
 
| [https://tools.ietf.org/html/rfc6617 RFC 6617]
 
| [https://tools.ietf.org/html/rfc6617 RFC 6617]
 
| Secure Pre-Shared Key (PSK) Authentication for the Internet Key Exchange Protocol (IKE)
 
| Secure Pre-Shared Key (PSK) Authentication for the Internet Key Exchange Protocol (IKE)
 +
| -
 
|
 
|
 
|-
 
|-
| -
 
 
| [https://tools.ietf.org/html/rfc6628 RFC 6628]
 
| [https://tools.ietf.org/html/rfc6628 RFC 6628]
 
| Efficient Augmented Password-Only Authentication and Key Exchange for IKEv2
 
| Efficient Augmented Password-Only Authentication and Key Exchange for IKEv2
 +
| -
 
|
 
|
 
|-
 
|-
| -
 
 
| [https://tools.ietf.org/html/rfc6631 RFC 6631]
 
| [https://tools.ietf.org/html/rfc6631 RFC 6631]
 
| Password Authenticated Connection Establishment with IKEv2
 
| Password Authenticated Connection Establishment with IKEv2
 +
| -
 
|
 
|
 
|-
 
|-
| -
 
 
| [https://tools.ietf.org/html/rfc6867 RFC 6867]
 
| [https://tools.ietf.org/html/rfc6867 RFC 6867]
 
| An Internet Key Exchange Protocol Version 2 (IKEv2) Extension to Support EAP Re-authentication Protocol (ERP)
 
| An Internet Key Exchange Protocol Version 2 (IKEv2) Extension to Support EAP Re-authentication Protocol (ERP)
 +
| -
 
|
 
|
 
|-
 
|-
| -
 
 
| [https://tools.ietf.org/html/rfc6932 RFC 6932]
 
| [https://tools.ietf.org/html/rfc6932 RFC 6932]
 
| Brainpool Elliptic Curves for the IKE Group Description Registry
 
| Brainpool Elliptic Curves for the IKE Group Description Registry
 +
| -
 
|
 
|
 
|-
 
|-
| -
 
 
| [https://tools.ietf.org/html/rfc6954 RFC 6954]
 
| [https://tools.ietf.org/html/rfc6954 RFC 6954]
 
| Using the Elliptic Curve Cryptography (ECC) Brainpool Curves for the Internet Key Exchange Protocol Version 2 (IKEv2)
 
| Using the Elliptic Curve Cryptography (ECC) Brainpool Curves for the Internet Key Exchange Protocol Version 2 (IKEv2)
 +
| -
 
|  
 
|  
 
|-
 
|-
| N/A
 
 
| [https://tools.ietf.org/html/rfc6989 RFC 6989]
 
| [https://tools.ietf.org/html/rfc6989 RFC 6989]
 
| Additional Diffie-Hellman Tests for the Internet Key Exchange Protocol Version 2 (IKEv2)
 
| Additional Diffie-Hellman Tests for the Internet Key Exchange Protocol Version 2 (IKEv2)
 +
| N/A
 
| This work is or needs to be done inside the nss library
 
| This work is or needs to be done inside the nss library
 
|-
 
|-
| v
 
 
| [https://tools.ietf.org/html/rfc7383 RFC 7383]
 
| [https://tools.ietf.org/html/rfc7383 RFC 7383]
 
| Internet Key Exchange Protocol Version 2 (IKEv2) Message Fragmentation
 
| Internet Key Exchange Protocol Version 2 (IKEv2) Message Fragmentation
 +
| v
 
|
 
|
 
|-
 
|-
| v
 
 
| [https://tools.ietf.org/html/rfc7427 RFC 7427]
 
| [https://tools.ietf.org/html/rfc7427 RFC 7427]
 
| Signature Authentication in the Internet Key Exchange Version 2 (IKEv2)
 
| Signature Authentication in the Internet Key Exchange Version 2 (IKEv2)
 +
| v
 
| Initial implementation only supports RSA-v1.5. More planned in near future
 
| Initial implementation only supports RSA-v1.5. More planned in near future
 
|-
 
|-
| v
 
 
| [https://tools.ietf.org/html/rfc7619 RFC 7619]
 
| [https://tools.ietf.org/html/rfc7619 RFC 7619]
 
| The NULL Authentication Method in the Internet Key Exchange Protocol Version 2 (IKEv2)
 
| The NULL Authentication Method in the Internet Key Exchange Protocol Version 2 (IKEv2)
 +
| v
 
|
 
|
 
|-
 
|-
| v
 
 
| [https://tools.ietf.org/html/rfc7634 RFC 7634]
 
| [https://tools.ietf.org/html/rfc7634 RFC 7634]
 
| ChaCha20, Poly1305, and Their Use in the IKE Protocol and IPsec
 
| ChaCha20, Poly1305, and Their Use in the IKE Protocol and IPsec
| Added in 3.26
+
| v3.26
 +
|
 
|-
 
|-
| -
 
 
| [https://tools.ietf.org/html/rfc7651 RFC 7651]
 
| [https://tools.ietf.org/html/rfc7651 RFC 7651]
 
| 3GPP IP Multimedia Subsystems (IMS) Option for the Internet Key Exchange Protocol Version 2 (IKEv2)
 
| 3GPP IP Multimedia Subsystems (IMS) Option for the Internet Key Exchange Protocol Version 2 (IKEv2)
 +
| -
 
|
 
|
 
|-
 
|-
| p
 
 
| [https://tools.ietf.org/html/rfc7670 RFC 7670]
 
| [https://tools.ietf.org/html/rfc7670 RFC 7670]
 
| Generic Raw Public-Key Support for IKEv2
 
| Generic Raw Public-Key Support for IKEv2
 +
| p
 
| raw RSA public keys are supported using the core IKE RFCs
 
| raw RSA public keys are supported using the core IKE RFCs
 
|-
 
|-
 +
| [https://tools.ietf.org/html/rfc8019 RFC 8019]
 +
| Protecting Internet Key Exchange Protocol Version 2 (IKEv2) Implementations from Distributed Denial-of-Service Attacks
 
| -
 
| -
| [https://tools.ietf.org/html/rfc8019 RFC 8019]
 
| Protecting Internet Key Exchange Protocol Version 2 (IKEv2) Implementations from Distributed Denial-of-Service Attacks
 
 
|
 
|
 
|-
 
|-
| v
 
 
| [https://tools.ietf.org/html/rfc8247 RFC 8247]
 
| [https://tools.ietf.org/html/rfc8247 RFC 8247]
 
| Algorithm Implementation Requirements and Usage Guidance for the Internet Key Exchange Protocol Version 2 (IKEv2)
 
| Algorithm Implementation Requirements and Usage Guidance for the Internet Key Exchange Protocol Version 2 (IKEv2)
 +
| v
 
|
 
|
 
|-
 
|-
| v
 
 
| [https://tools.ietf.org/html/rfc8229 RFC 8229]
 
| [https://tools.ietf.org/html/rfc8229 RFC 8229]
 
| TCP Encapsulation of IKE and IPsec Packets
 
| TCP Encapsulation of IKE and IPsec Packets
 +
| v
 
| IKE over TCP implemented - waiting on Linux kernel for ESP over TCP implementation. Does not currently support IKE/ESP over TLS
 
| IKE over TCP implemented - waiting on Linux kernel for ESP over TCP implementation. Does not currently support IKE/ESP over TLS
 
|-
 
|-
| v
 
 
| [https://datatracker.ietf.org/doc/rfc8784/ RFC 8784]
 
| [https://datatracker.ietf.org/doc/rfc8784/ RFC 8784]
 
| Postquantum Preshared Keys for IKEv2
 
| Postquantum Preshared Keys for IKEv2
| Added in 3.25
+
| v3.25
 +
|
 
|-
 
|-
| -
 
 
| [https://tools.ietf.org/html/draft-brunner-ikev2-mediation draft-brunner-ikev2-mediation]
 
| [https://tools.ietf.org/html/draft-brunner-ikev2-mediation draft-brunner-ikev2-mediation]
 
| IKEv2 Mediation Extension
 
| IKEv2 Mediation Extension
 +
| -
 
|
 
|
 
|-
 
|-
 +
| [https://tools.ietf.org/html/draft-laganier-ike-ipv6-cga draft-laganier-ike-ipv6-cga]
 +
| Using IKE with IPv6 Cryptographically Generated Addresses
 
| -
 
| -
| [https://tools.ietf.org/html/draft-laganier-ike-ipv6-cga draft-laganier-ike-ipv6-cga]
 
|  Using IKE with IPv6 Cryptographically Generated Addresses
 
 
|
 
|
 
|-
 
|-
| p
 
 
| [https://tools.ietf.org/html/draft-ietf-ipsecme-split-dns draft-ietf-ipsecme-split-dns]
 
| [https://tools.ietf.org/html/draft-ietf-ipsecme-split-dns draft-ietf-ipsecme-split-dns]
 
| Split DNS Configuration for IKEv2
 
| Split DNS Configuration for IKEv2
 +
| p
 
| INTERNAL_DOMAIN implemented, INTERNAL_TA_DNSSEC not yet implemented
 
| INTERNAL_DOMAIN implemented, INTERNAL_TA_DNSSEC not yet implemented
 
|-
 
|-
| v
 
 
| [https://tools.ietf.org/html/draft-ietf-ipsecme-ikev2-intermediate draft-ietf-ipsecme-ikev2-intermediate]
 
| [https://tools.ietf.org/html/draft-ietf-ipsecme-ikev2-intermediate draft-ietf-ipsecme-ikev2-intermediate]
 
| Intermediate Exchange in the IKEv2 Protocol
 
| Intermediate Exchange in the IKEv2 Protocol
 +
| v
 
| Experimental
 
| Experimental
 
|-
 
|-
| v4.4
 
 
| [https://tools.ietf.org/html/draft-ietf-ipsecme-labeled-ipsec draft-ietf-ipsecme-labeled-ipsec]
 
| [https://tools.ietf.org/html/draft-ietf-ipsecme-labeled-ipsec draft-ietf-ipsecme-labeled-ipsec]
 
| Labeled IPsec Traffic Selector support for IKEv2
 
| Labeled IPsec Traffic Selector support for IKEv2
 +
| v4.4
 
| Internet-Draft
 
| Internet-Draft
 
|-
 
|-
Line 312: Line 312:
  
 
{| class="wikitable"
 
{| class="wikitable"
! style="text-align:left;" | Status
 
 
! style="text-align:left;" | Standard
 
! style="text-align:left;" | Standard
 
! style="text-align:left;" | Description
 
! style="text-align:left;" | Description
 +
! style="text-align:left;" | Status
 
! style="text-align:left;" | Comments
 
! style="text-align:left;" | Comments
 
|-
 
|-
 +
| [https://tools.ietf.org/html/rfc4301 RFC 4301 ]
 +
| Security Architecture for the Internet Protocol
 
| v
 
| v
| [https://tools.ietf.org/html/rfc4301 RFC 4301 ]
 
| Security Architecture for the Internet Protocol
 
 
|
 
|
 
|-
 
|-
| v
 
 
| [https://tools.ietf.org/html/rfc4302 RFC 4302 ]
 
| [https://tools.ietf.org/html/rfc4302 RFC 4302 ]
 
| IP Authentication Header (AH)
 
| IP Authentication Header (AH)
 +
| v
 
|
 
|
 
|-
 
|-
| v
 
 
| [https://tools.ietf.org/html/rfc4303 RFC 4303 ]
 
| [https://tools.ietf.org/html/rfc4303 RFC 4303 ]
 
| IP Encapsulating Security Payload (ESP)
 
| IP Encapsulating Security Payload (ESP)
 +
| v
 
|
 
|
 
|-
 
|-
|
 
 
| [https://tools.ietf.org/html/rfc4308 RFC 4308 ]
 
| [https://tools.ietf.org/html/rfc4308 RFC 4308 ]
 
| Cryptographic Suites for IPsec
 
| Cryptographic Suites for IPsec
 +
|
 
|
 
|
 
|-
 
|-
| v
 
 
| [https://tools.ietf.org/html/rfc7321 RFC 7321 ]
 
| [https://tools.ietf.org/html/rfc7321 RFC 7321 ]
 
| Cryptographic Algorithm Implementation Requirements and Usage Guidance for ESP and AH Extensions
 
| Cryptographic Algorithm Implementation Requirements and Usage Guidance for ESP and AH Extensions
 +
| v
 
|
 
|
 
|-
 
|-
| v
 
 
| [https://tools.ietf.org/html/rfc2410 RFC 2410 ]
 
| [https://tools.ietf.org/html/rfc2410 RFC 2410 ]
 
| The NULL Encryption Algorithm and Its Use With IPsec
 
| The NULL Encryption Algorithm and Its Use With IPsec
 +
| v
 
|
 
|
 
|-
 
|-
| v
 
 
| [https://tools.ietf.org/html/rfc2451 RFC 2451 ]  
 
| [https://tools.ietf.org/html/rfc2451 RFC 2451 ]  
 
| The ESP CBC-Mode Cipher Algorithms
 
| The ESP CBC-Mode Cipher Algorithms
 +
| v
 
|
 
|
 
|-
 
|-
| v
 
 
| [https://tools.ietf.org/html/rfc3602 RFC 3602 ]  
 
| [https://tools.ietf.org/html/rfc3602 RFC 3602 ]  
 
| The AES-CBC Cipher Algorithm and Its Use with IPsec
 
| The AES-CBC Cipher Algorithm and Its Use with IPsec
 +
| v
 
|
 
|
 
|-
 
|-
| v
 
 
| [https://tools.ietf.org/html/rfc3948 RFC 3948 ]  
 
| [https://tools.ietf.org/html/rfc3948 RFC 3948 ]  
 
| UDP Encapsulation of IPsec ESP Packets
 
| UDP Encapsulation of IPsec ESP Packets
 +
| v
 
|
 
|
 
|-
 
|-
| v
 
 
| [https://tools.ietf.org/html/rfc3686 RFC 3686 ]  
 
| [https://tools.ietf.org/html/rfc3686 RFC 3686 ]  
 
| Using Advanced Encryption Standard (AES) Counter Mode With IPsec Encapsulating Security Payload (ESP)
 
| Using Advanced Encryption Standard (AES) Counter Mode With IPsec Encapsulating Security Payload (ESP)
 +
| v
 
|
 
|
 
|-
 
|-
| v
 
 
| [https://tools.ietf.org/html/rfc4106 RFC 4106 ]  
 
| [https://tools.ietf.org/html/rfc4106 RFC 4106 ]  
 
| The Use of Galois/Counter Mode (GCM) in IPsec ESP
 
| The Use of Galois/Counter Mode (GCM) in IPsec ESP
 +
| v
 
|
 
|
 
|-
 
|-
| v
 
 
| [https://tools.ietf.org/html/rfc4304 RFC 4304 ]  
 
| [https://tools.ietf.org/html/rfc4304 RFC 4304 ]  
 
| Extended Sequence Number (ESN) Addendum to IPsec DOI for ISAKMP
 
| Extended Sequence Number (ESN) Addendum to IPsec DOI for ISAKMP
 +
| v
 
|
 
|
 
|-
 
|-
| v
 
 
| [https://tools.ietf.org/html/rfc4309 RFC 4309 ]  
 
| [https://tools.ietf.org/html/rfc4309 RFC 4309 ]  
 
| Using Advanced Encryption Standard (AES) CCM Mode with IPsec ESP
 
| Using Advanced Encryption Standard (AES) CCM Mode with IPsec ESP
 +
| v
 
|
 
|
 
|-
 
|-
| X
 
 
| [https://tools.ietf.org/html/rfc4494 RFC 4494 ]  
 
| [https://tools.ietf.org/html/rfc4494 RFC 4494 ]  
 
| The AES-CMAC-96 Algorithm and Its Use with IPsec
 
| The AES-CMAC-96 Algorithm and Its Use with IPsec
 +
| X
 
|
 
|
 
|-
 
|-
| X
 
 
| [https://tools.ietf.org/html/rfc4543 RFC 4543 ]  
 
| [https://tools.ietf.org/html/rfc4543 RFC 4543 ]  
 
| The Use of Galois Message Authentication Code (GMAC) in IPsec ESP and AH
 
| The Use of Galois Message Authentication Code (GMAC) in IPsec ESP and AH
 +
| X
 
| Kernel support is availble, ike support is not
 
| Kernel support is availble, ike support is not
 
|-
 
|-
| v
 
 
| [https://tools.ietf.org/html/rfc4868 RFC 4868 ]  
 
| [https://tools.ietf.org/html/rfc4868 RFC 4868 ]  
 
| Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 with IPsec
 
| Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 with IPsec
 +
| v
 
|
 
|
 
|-
 
|-
| v
 
 
| [https://tools.ietf.org/html/rfc5114 RFC 5114 ]  
 
| [https://tools.ietf.org/html/rfc5114 RFC 5114 ]  
 
| Additional Diffie-Hellman Groups for Use with IETF Standards
 
| Additional Diffie-Hellman Groups for Use with IETF Standards
 +
| v
 
| Only DH22,23,24 - remainder planned
 
| Only DH22,23,24 - remainder planned
 
|-
 
|-
| v
 
 
| [https://tools.ietf.org/html/rfc5529 RFC 5529 ]  
 
| [https://tools.ietf.org/html/rfc5529 RFC 5529 ]  
 
| Modes of Operation for Camellia for Use with IPsec
 
| Modes of Operation for Camellia for Use with IPsec
 +
| v
 
|
 
|
 
|-
 
|-
| X
 
 
| [https://tools.ietf.org/html/rfc5660 RFC 5660 ]  
 
| [https://tools.ietf.org/html/rfc5660 RFC 5660 ]  
 
| IPsec Channels: Connection Latching
 
| IPsec Channels: Connection Latching
 +
| X
 
|  
 
|  
 
|-
 
|-
| N/A
 
 
| [https://tools.ietf.org/html/rfc5879 RFC 5879 ]  
 
| [https://tools.ietf.org/html/rfc5879 RFC 5879 ]  
 
| Heuristics for Detecting ESP-NULL Packets
 
| Heuristics for Detecting ESP-NULL Packets
 +
| N/A
 
|
 
|
 
|-
 
|-
| X
 
 
| [https://tools.ietf.org/html/rfc5840 RFC 5840 ]  
 
| [https://tools.ietf.org/html/rfc5840 RFC 5840 ]  
 
| Wrapped Encapsulating Security Payload (ESP) for Traffic Visibility
 
| Wrapped Encapsulating Security Payload (ESP) for Traffic Visibility
 +
| X
 
|
 
|
 
|-
 
|-
| v
 
 
| [https://tools.ietf.org/html/rfc6379 RFC 6379 ]  
 
| [https://tools.ietf.org/html/rfc6379 RFC 6379 ]  
 
| Suite B Cryptographic Suites for IPsec
 
| Suite B Cryptographic Suites for IPsec
 +
| v
 
| Not all ciphers are implemented
 
| Not all ciphers are implemented
 
|-
 
|-
| v
 
 
| [https://tools.ietf.org/html/rfc6380 RFC 6380 ]  
 
| [https://tools.ietf.org/html/rfc6380 RFC 6380 ]  
 
| Suite B Profile for Internet Protocol Security (IPsec)
 
| Suite B Profile for Internet Protocol Security (IPsec)
 +
| v
 
|
 
|
 
|-
 
|-
| ?
 
 
| [https://tools.ietf.org/html/rfc6479 RFC 6479 ]  
 
| [https://tools.ietf.org/html/rfc6479 RFC 6479 ]  
 
| IPsec Anti-Replay Algorithm without Bit Shifting
 
| IPsec Anti-Replay Algorithm without Bit Shifting
 +
| ?
 
|
 
|
 
|-
 
|-
| N/A
 
 
| [https://tools.ietf.org/html/rfc7018 RFC 7018 ]  
 
| [https://tools.ietf.org/html/rfc7018 RFC 7018 ]  
 
| Auto-Discovery VPN Problem Statement and Requirements
 
| Auto-Discovery VPN Problem Statement and Requirements
 +
| N/A
 
|
 
|
 
|-
 
|-
| v
 
 
| [https://tools.ietf.org/html/rfc7321 RFC 7321]
 
| [https://tools.ietf.org/html/rfc7321 RFC 7321]
 
| Cryptographic Algorithm Implementation Requirements and Usage Guidance for Encapsulating Security Payload (ESP) and Authentication Header (AH)
 
| Cryptographic Algorithm Implementation Requirements and Usage Guidance for Encapsulating Security Payload (ESP) and Authentication Header (AH)
 +
| v
 
| Obsoleted by [http://tools.ietf.org/html/rfc8221 RFC 8221]
 
| Obsoleted by [http://tools.ietf.org/html/rfc8221 RFC 8221]
 
|-
 
|-
| v
 
 
| [https://tools.ietf.org/html/rfc8221 RFC 8221]
 
| [https://tools.ietf.org/html/rfc8221 RFC 8221]
 
| Cryptographic Algorithm Implementation Requirements and Usage Guidance for Encapsulating Security Payload (ESP) and Authentication Header (AH)
 
| Cryptographic Algorithm Implementation Requirements and Usage Guidance for Encapsulating Security Payload (ESP) and Authentication Header (AH)
 +
| v
 
| Obsoletes [http://tools.ietf.org/html/rfc7321 RFC 7321]
 
| Obsoletes [http://tools.ietf.org/html/rfc7321 RFC 7321]
 
|-
 
|-
| v
 
 
| [https://tools.ietf.org/html/draft-antony-ipsecme-oppo-nat draft-antony-ipsecme-oppo-nat]
 
| [https://tools.ietf.org/html/draft-antony-ipsecme-oppo-nat draft-antony-ipsecme-oppo-nat]
 
| NAT-Traversal support for Opportunistic IPsec
 
| NAT-Traversal support for Opportunistic IPsec
 +
| v
 
| Experimental
 
| Experimental
 
|}
 
|}
  
== PF_KEY V2 ==
+
== PF KEY V2 ==
  
 
{| class="wikitable"
 
{| class="wikitable"
! style="text-align:left;" | Status
 
 
! style="text-align:left;" | Standard
 
! style="text-align:left;" | Standard
 
! style="text-align:left;" | Description
 
! style="text-align:left;" | Description
 +
! style="text-align:left;" | Status
 
! style="text-align:left;" | Comments
 
! style="text-align:left;" | Comments
 
|-
 
|-
|
 
 
| [https://datatracker.ietf.org/doc/html/rfc2367 RFC-2367]
 
| [https://datatracker.ietf.org/doc/html/rfc2367 RFC-2367]
 
| PF_KEY Key Management API, Version 2
 
| PF_KEY Key Management API, Version 2
| Defines SADB messages
+
|  
 +
| SADB messages to set up kernel state
 
|-
 
|-
|
 
 
| [https://datatracker.ietf.org/doc/html/draft-schilcher-mobike-pfkey-extension-01 draft-schilcher-mobike-pfkey-extension-01]
 
| [https://datatracker.ietf.org/doc/html/draft-schilcher-mobike-pfkey-extension-01 draft-schilcher-mobike-pfkey-extension-01]
 
| MOBIKE Extensions for PF_KEY
 
| MOBIKE Extensions for PF_KEY
| Defines KAME's SPD extensions
+
|
 +
| also defines KAME's SPD extensions to set up kernel policy
 
|}
 
|}

Revision as of 06:48, 14 January 2022

The following table lists the RFCs, drafts and standards related to IKE and IPsec. An overview of IKE and IPsec related RFC's is available in RFC 6071.

Implementation status can be: implemented (v), planned (p), not implemented (-) or will not be implemented (X)

IKEv1

Standard Description Status Comments
RFC 2407 IPsec Domain of Interpretation for ISAKMP (IPsec DoI) v
RFC 2408 Internet Security Association and Key Management Protocol (ISAKMP) v
RFC 2409 Internet Key Exchange (IKE) v Revised Mode not implemented
RFC 3526 More Modular Exponential (MODP) Diffie-Hellman groups v
RFC 3706 A Traffic-Based Method of Detecting Dead Internet Key Exchange (IKE) Peers v known as "DPD"
RFC 3947 Negotiation of NAT-Traversal in the IKE v known as "NATT" or "ESPinUDP"
draft-dukes-ike-mode-cfg The ISAKMP Configuration Method v
draft-ietf-ipsec-isakmp-xauth Extended Authentication within ISAKMP/Oakley (XAUTH) v
draft-jenkins-ipsec-rekeying IPsec Re-keying Issues v Implementation differs on some point but accomplishes the same
draft-ietf-ipsec-isakmp-hybrid-auth A Hybrid Authentication Mode for IKE X

IKEv2

Standard Description Status Comments
RFC 4307 Cryptographic Algorithms for Use in the Internet Key Exchange Version 2 (IKEv2) v Obsoleted by RFC 8247
RFC 7296 Internet Key Exchange Protocol Version 2 (IKEv2) v Obsoletes RFC 5996 and RFC 4718
RFC 7815 Minimal Internet Key Exchange Version 2 (IKEv2) Initiator Implementation X This is a really just a subset of IKEv2 RFC 7296
RFC 4478 Repeated Authentication in Internet Key Exchange (IKEv2) Protocol p
RFC 4555 IKEv2 Mobility and Multihoming Protocol (MOBIKE) v "Additional Addresses" not supported
RFC 4595 Use of IKEv2 in the Fibre Channel Security Association Management Protocol -
RFC 4615 The AES-Cipher-based Message Authentication Code-Pseudo-Random Function-128 (AES-CMAC-PRF-128) Algorithm for IKE p CMAC is supoorted as INTEG (for ESP/IKE) but not as PRF(for IKE) - this is pending support in the NSS library.
RFC 4621 Design of the IKEv2 Mobility and Multihoming (MOBIKE) Protocol N/A
RFC 4739 Multiple Authentication Exchanges in the IKEv2 Protocol p
RFC 4754 IKE and IKEv2 Authentication Using the Elliptic Curve Digital Signature Algorithm (ECDSA) v3.26
RFC 4806 Online Certificate Status Protocol (OCSP) Extensions to IKEv2 - Regular OCSP fetching outside of IKE is supported.
RFC 5026 Mobile IPv6 Bootstrapping in Split Scenario -
RFC 5282 Using Authenticated Encryption Algorithms with the Encrypted Payload of the IKEv2 Protocol v Only AES_GCM is implemented. AES_CCM requires support in the nss library
RFC 5685 Redirect Mechanism for IKEv2 v3.28
RFC 5857 IKEv2 Extensions to Support Robust Header Compression over IPsec -
RFC 5723 Internet Key Exchange Protocol Version 2 (IKEv2) Session Resumption p
RFC 5739 IPv6 Configuration in Internet Key Exchange Protocol Version 2 (IKEv2) -
RFC 5903 ECP Groups for IKE and IKEv2 v
RFC 5930 Using Advanced Encryption Standard Counter Mode (AES-CTR) with the Internet Key Exchange version 02 (IKEv2) Protocol v
RFC 5998 An Extension for EAP-only Authentication in IKEv2 -
RFC 6023 A Childless Initiation of the Internet Key Exchange Version 2 (IKEv2) Security Association (SA) -
RFC 6027 IPsec Cluster Problem Statement N/A
RFC 6290 A Quick Crash Detection Method for the Internet Key Exchange Protocol (IKE) -
RFC 6311 Protocol Support for High Availability of IKEv2/IPsec -
RFC 6467 Secure Password Framework for IKEv2 -
RFC 6617 Secure Pre-Shared Key (PSK) Authentication for the Internet Key Exchange Protocol (IKE) -
RFC 6628 Efficient Augmented Password-Only Authentication and Key Exchange for IKEv2 -
RFC 6631 Password Authenticated Connection Establishment with IKEv2 -
RFC 6867 An Internet Key Exchange Protocol Version 2 (IKEv2) Extension to Support EAP Re-authentication Protocol (ERP) -
RFC 6932 Brainpool Elliptic Curves for the IKE Group Description Registry -
RFC 6954 Using the Elliptic Curve Cryptography (ECC) Brainpool Curves for the Internet Key Exchange Protocol Version 2 (IKEv2) -
RFC 6989 Additional Diffie-Hellman Tests for the Internet Key Exchange Protocol Version 2 (IKEv2) N/A This work is or needs to be done inside the nss library
RFC 7383 Internet Key Exchange Protocol Version 2 (IKEv2) Message Fragmentation v
RFC 7427 Signature Authentication in the Internet Key Exchange Version 2 (IKEv2) v Initial implementation only supports RSA-v1.5. More planned in near future
RFC 7619 The NULL Authentication Method in the Internet Key Exchange Protocol Version 2 (IKEv2) v
RFC 7634 ChaCha20, Poly1305, and Their Use in the IKE Protocol and IPsec v3.26
RFC 7651 3GPP IP Multimedia Subsystems (IMS) Option for the Internet Key Exchange Protocol Version 2 (IKEv2) -
RFC 7670 Generic Raw Public-Key Support for IKEv2 p raw RSA public keys are supported using the core IKE RFCs
RFC 8019 Protecting Internet Key Exchange Protocol Version 2 (IKEv2) Implementations from Distributed Denial-of-Service Attacks -
RFC 8247 Algorithm Implementation Requirements and Usage Guidance for the Internet Key Exchange Protocol Version 2 (IKEv2) v
RFC 8229 TCP Encapsulation of IKE and IPsec Packets v IKE over TCP implemented - waiting on Linux kernel for ESP over TCP implementation. Does not currently support IKE/ESP over TLS
RFC 8784 Postquantum Preshared Keys for IKEv2 v3.25
draft-brunner-ikev2-mediation IKEv2 Mediation Extension -
draft-laganier-ike-ipv6-cga Using IKE with IPv6 Cryptographically Generated Addresses -
draft-ietf-ipsecme-split-dns Split DNS Configuration for IKEv2 p INTERNAL_DOMAIN implemented, INTERNAL_TA_DNSSEC not yet implemented
draft-ietf-ipsecme-ikev2-intermediate Intermediate Exchange in the IKEv2 Protocol v Experimental
draft-ietf-ipsecme-labeled-ipsec Labeled IPsec Traffic Selector support for IKEv2 v4.4 Internet-Draft

IPsec

Standard Description Status Comments
RFC 4301 Security Architecture for the Internet Protocol v
RFC 4302 IP Authentication Header (AH) v
RFC 4303 IP Encapsulating Security Payload (ESP) v
RFC 4308 Cryptographic Suites for IPsec
RFC 7321 Cryptographic Algorithm Implementation Requirements and Usage Guidance for ESP and AH Extensions v
RFC 2410 The NULL Encryption Algorithm and Its Use With IPsec v
RFC 2451 The ESP CBC-Mode Cipher Algorithms v
RFC 3602 The AES-CBC Cipher Algorithm and Its Use with IPsec v
RFC 3948 UDP Encapsulation of IPsec ESP Packets v
RFC 3686 Using Advanced Encryption Standard (AES) Counter Mode With IPsec Encapsulating Security Payload (ESP) v
RFC 4106 The Use of Galois/Counter Mode (GCM) in IPsec ESP v
RFC 4304 Extended Sequence Number (ESN) Addendum to IPsec DOI for ISAKMP v
RFC 4309 Using Advanced Encryption Standard (AES) CCM Mode with IPsec ESP v
RFC 4494 The AES-CMAC-96 Algorithm and Its Use with IPsec X
RFC 4543 The Use of Galois Message Authentication Code (GMAC) in IPsec ESP and AH X Kernel support is availble, ike support is not
RFC 4868 Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 with IPsec v
RFC 5114 Additional Diffie-Hellman Groups for Use with IETF Standards v Only DH22,23,24 - remainder planned
RFC 5529 Modes of Operation for Camellia for Use with IPsec v
RFC 5660 IPsec Channels: Connection Latching X
RFC 5879 Heuristics for Detecting ESP-NULL Packets N/A
RFC 5840 Wrapped Encapsulating Security Payload (ESP) for Traffic Visibility X
RFC 6379 Suite B Cryptographic Suites for IPsec v Not all ciphers are implemented
RFC 6380 Suite B Profile for Internet Protocol Security (IPsec) v
RFC 6479 IPsec Anti-Replay Algorithm without Bit Shifting ?
RFC 7018 Auto-Discovery VPN Problem Statement and Requirements N/A
RFC 7321 Cryptographic Algorithm Implementation Requirements and Usage Guidance for Encapsulating Security Payload (ESP) and Authentication Header (AH) v Obsoleted by RFC 8221
RFC 8221 Cryptographic Algorithm Implementation Requirements and Usage Guidance for Encapsulating Security Payload (ESP) and Authentication Header (AH) v Obsoletes RFC 7321
draft-antony-ipsecme-oppo-nat NAT-Traversal support for Opportunistic IPsec v Experimental

PF KEY V2

Standard Description Status Comments
RFC-2367 PF_KEY Key Management API, Version 2 SADB messages to set up kernel state
draft-schilcher-mobike-pfkey-extension-01 MOBIKE Extensions for PF_KEY also defines KAME's SPD extensions to set up kernel policy